From f7a1c2a99a52d264514e7db904dc079e53178fd0 Mon Sep 17 00:00:00 2001
From: David Pursehouse
Date: Fri, 25 Aug 2017 19:12:54 +0900
Subject: [PATCH] AuthConfig: Disallow invalid combination of auth.type and auth.gitBasicAuthPolicy
Add checks and throw an invalid state exception when an invalid combination of auth.gitBasicAuthPolicy and auth.type is detected.
- When auth.gitBasicAuthPolicy is HTTP_LDAP, the auth.type should be either LDAP or LDAP_BIND.
- When auth.gitBasicAuthPolicy is OAUTH, auth.type should be OAUTH.
Also add missing reference to LDAP_BIND in the documentation.
Bug: Issue 7086
Change-Id: I4917a45a8ea21af7afa870900caa29224fd0606e
---
 Documentation/config-gerrit.txt | 2 +-
 .../com/google/gerrit/server/config/AuthConfig.java | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/Documentation/config-gerrit.txt b/Documentation/config-gerrit.txt
index dd670c1e58..b7100ff0a2 100644
--- a/Documentation/config-gerrit.txt
+++ b/Documentation/config-gerrit.txt
@@ -537,7 +537,7 @@ By default this is set to false.
 [[auth.gitBasicAuthPolicy]]auth.gitBasicAuthPolicy::
 +
-When `auth.type` is `LDAP` or `OAUTH`, it allows using either the generated
+When `auth.type` is `LDAP`, `LDAP_BIND` or `OAUTH`, it allows using either the generated
 HTTP password, the LDAP or OAUTH password, or a combination of HTTP and LDAP authentication, to authenticate Git over HTTP and REST API requests. The supported values are:
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/config/AuthConfig.java b/gerrit-server/src/main/java/com/google/gerrit/server/config/AuthConfig.java
index 6cdb5e56c2..2382809ea5 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/config/AuthConfig.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/config/AuthConfig.java
@@ -96,6 +96,16 @@ public class AuthConfig {
 userNameToLowerCase = cfg.getBoolean("auth", "userNameToLowerCase", false);
 allowRegisterNewEmail = cfg.getBoolean("auth", "allowRegisterNewEmail", true);
+ if (gitBasicAuthPolicy == GitBasicAuthPolicy.HTTP_LDAP
+ && authType != AuthType.LDAP
+ && authType != AuthType.LDAP_BIND) {
+ throw new IllegalStateException(
+ "use auth.gitBasicAuthPolicy HTTP_LDAP only with auth.type LDAP or LDAP_BIND");
+ } else if (gitBasicAuthPolicy == GitBasicAuthPolicy.OAUTH && authType != AuthType.OAUTH) {
+ throw new IllegalStateException(
+ "use auth.gitBasicAuthPolicy OAUTH only with auth.type OAUTH");
+ }
+
 String key = cfg.getString("auth", null, "registerEmailPrivateKey");
 if (key != null && !key.isEmpty()) {
 int age =
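Review bot: A policy of plain `LDAP` paired with a non-LDAP `auth.type` still gets past the new `if` / `else if` chain, which only rejects mismatches for `HTTP_LDAP` and `OAUTH`. The documentation hunk in this patch describes an LDAP-password policy, so the enum presumably has an `LDAP` value, but it is not visible here and should be confirmed. If it does, add a third branch, `else if (gitBasicAuthPolicy == GitBasicAuthPolicy.LDAP && authType != AuthType.LDAP && authType != AuthType.LDAP_BIND) { throw new IllegalStateException("use auth.gitBasicAuthPolicy LDAP only with auth.type LDAP or LDAP_BIND"); }`, so that every mismatched pairing fails closed at startup. It would also help operators if each message reported the configured value, for example by appending `" (auth.type is " + authType + ")"`. The enclosing constructor begins and ends outside the hunk, so how `gitBasicAuthPolicy` gets its default cannot be checked from here.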